Abstract: In various embodiments, a device classification service forms a device cluster by applying clustering to attributes of endpoint devices observed in one or more networks. The device classification service applies an initial device classification rule to the endpoint devices in the device cluster, based on one or more of the endpoint devices in the device cluster matching the initial device classification rule. The device classification service computes metrics for the initial device classification rule that quantify how well the attributes of the endpoint devices in the device cluster match the initial device classification rule. The device classification service decides, based on the metrics, whether to associate the initial device classification rule with the device cluster or generate a new device classification rule based on the device cluster.

Abstract: In various embodiments, a device classification service obtains traffic telemetry data for a plurality of devices in a network. The service applies clustering to the traffic telemetry data, to form device clusters. The service generates a device classification rule based on a particular one of the device clusters. The service receives feedback from a user interface regarding the device classification rule. The service adjusts the device classification rule based on the received feedback.

Abstract: In one embodiment, a network assurance service that monitors a network detects anomalies in the network by applying one or more machine learning-based anomaly detectors to telemetry data from the network. The network assurance service receives ranking feedback from a plurality of anomaly rankers regarding relevancy of the detected anomalies. The network assurance service calculates a rescaling factor and quantile parameter by applying an objective function to the ranking feedback, in order to optimize the rescaling factor and quantile parameter of the one or more anomaly detectors. The network assurance service adjusts the rescaling factor and quantile parameter of the one or more anomaly detectors using the calculated rescaling factor and quantile parameter.

Abstract: In one embodiment, a network element in a network maintains a probabilistic data structure indicative of devices in the network for which telemetry data is not to be sent to a device classification service. The network element detects a traffic flow sent from a source device to a destination device. The network element determines whether the probabilistic data structure includes entries for both the source and destination devices of the traffic flow. The network element sends flow telemetry data regarding the traffic flow to the device classification service, based on a determination that the probabilistic data structure does not include entries for both the source and destination of the traffic flow.

Abstract: In one embodiment, a supervisory service for a software-defined wide area network (SD-WAN) tracks a performance metric for a tunnel in the SD-WAN. The supervisory service computes a cumulative distribution function (CDF) for the tracked performance metric. The service assesses curvature of the CDF for the tracked performance metric relative to a service level agreement (SLA) threshold of an application for that performance metric. The service controls assignment of traffic for the application to the tunnel, based on the assessed curvature of the CDF for the tracked performance metric relative to the SLA threshold of the application for that performance metric.

Abstract: In one embodiment, a service in a network samples application traffic throughputs for a set of applications present in a network. The service generates a throughput model based on the sampled application throughputs for the set of applications. The service performs anomaly detection on wireless throughput measurements from the network by comparing the wireless throughput measurements to the generated throughput model. The service sends an anomaly detection notification based on a determination that the wireless throughput measurements from the network are anomalous.

Abstract: In one embodiment, a device in a network receives information regarding a network anomaly detected by an anomaly detector deployed in the network. The device identifies the detected network anomaly as a false positive based on the information regarding the network anomaly. The device generates an output filter for the anomaly detector, in response to identifying the detected network anomaly as a false positive. The output filter is configured to filter an output of the anomaly detector associated with the false positive. The device causes the generated output filter to be installed at the anomaly detector.

Abstract: In one embodiment, a device identifies a new traffic flow in a network. The device determines a service level agreement (SLA) associated with the new traffic flow. The device uses a machine learning model to predict whether a particular tunnel in the network can satisfy the determined SLA of the traffic were the traffic flow routed onto the tunnel. The device performs call admission control to route the new traffic flow onto the particular tunnel, based on a prediction that the tunnel can satisfy the determined SLA of the traffic.

Abstract: In one embodiment, a device classification service classifies a device in a network as being of a first device type. The service applies a first network policy that has an associated expiration timer to the device, based on its classification as being of the first device type. The service determines whether the device was reclassified as being of a different device type than that of the first device type before expiration of the expiration timer associated with the first network policy. The service applies a second network policy to the device, when the service determines that the device has not been reclassified as being of a different device type before expiration of the expiration timer associated with the first network policy.

Abstract: In various embodiments, a device classification service obtains traffic telemetry data for a plurality of devices in a network. The service applies clustering to the traffic telemetry data, to form device clusters. The service generates a device classification rule based on a particular one of the device clusters. The service receives feedback from a user interface regarding the device classification rule. The service adjusts the device classification rule based on the received feedback.

Abstract: In one embodiment, a device receives observed access point (AP) features of one or more APs in a monitored network. The device clusters the observed AP features within a latent space to form AP feature clusters. The device applies labels to the AP feature clusters within the latent space. The device uses the applied labels to the AP feature clusters to describe future behaviors of the one or more APs in the monitored network.

Abstract: In one embodiment, a supervisory service for a software-defined wide area network (SD-WAN) detects seasonal service level agreement (SLA) violations by one or more tunnels in the SD-WAN using a machine learning-based regression model. The service identifies a root cause of the seasonal SLA violations by determining whether the root cause of the seasonal SLA violations is associated with an internal network connected to the one or more tunnels. The service further identifies the root cause by determining whether the root cause of the seasonal SLA violations is associated with a particular service provider network over which the one or more tunnels traverse by associating the seasonal SLA violations with SLA violations by tunnels in other SD-WANs that also traverse the particular service provider network. The service initiates a corrective measure based on the determined root cause of the seasonal SLA violations by the one or more tunnels.

Abstract: In various embodiments, a device classification service obtains traffic telemetry data for a plurality of devices in a network. The service applies clustering to the traffic telemetry data, to form device clusters. The service generates a device classification rule based on a particular one of the device clusters. The service receives feedback from a user interface regarding the device classification rule. The service adjusts the device classification rule based on the received feedback.

Abstract: In one embodiment, a device classification service receives telemetry data indicative of behavioral characteristics of a plurality of devices in a network. The service obtains side information for the telemetry data. The service applies metric learning to the telemetry data and side information, to construct a distance function. The service uses the distance function to cluster the telemetry data into device clusters. The service associates a device type label with a particular device cluster.

Abstract: In one embodiment, a device constructs a set of controlled what-if input parameters for evaluating a what-if scenario in a network. The device uses the set of controlled what-if input parameters and state data indicative of a current state of the network as input to a network state model. The network state model predicts values for the state data conditioned on the what-if input parameters. The device predicts a key performance indicator (KPI) in the network by using the predicted values for the state data from the network state model as input to a machine learning-based KPI prediction model. The device initiates a routing change in the network based in part on the predicted KPI.

Abstract: In one embodiment, a device obtains performance data regarding failures of a tunnel in a network. The device generates a failure profile for the tunnel by applying machine learning to the performance data regarding the failures of the tunnel. The device determines, based on the failure profile for the tunnel, whether the tunnel exhibits failure flapping behavior. The device adjusts one or more Bidirectional Forwarding Detection (BFD) probing timers used to detect failures of the tunnel, based on the determination as to whether the tunnel exhibits failure flapping behavior.

Abstract: In one embodiment, a device identifies a new traffic flow in a network. The device determines a service level agreement (SLA) associated with the new traffic flow. The device uses a machine learning model to predict whether a particular tunnel in the network can satisfy the determined SLA of the traffic were the traffic flow routed onto the tunnel. The device performs call admission control to route the new traffic flow onto the particular tunnel, based on a prediction that the tunnel can satisfy the determined SLA of the traffic.

Abstract: In one embodiment, a service in a network computes an expected information gain associated with rerouting traffic from a first tunnel onto a backup tunnel in the network. The service initiates, based on the expected information gain, rerouting of the traffic from the first tunnel onto the backup tunnel. The service obtains performance measurements for the traffic rerouted onto the backup tunnel. The service uses the performance measurements to train a machine learning model to predict whether rerouting traffic from the first tunnel onto the backup tunnel will satisfy a service level agreement (SLA) of the traffic.

Abstract: In one embodiment, a device predicts a failure of a first tunnel in a software-defined wide area network (SD-WAN). The device determines that no backup tunnel for the first tunnel exists in the SD-WAN that can satisfy one or more service level agreements (SLAs) of traffic on the first tunnel, were the traffic rerouted from the first tunnel onto that tunnel. The device predicts, using a machine learning model, that a backup tunnel for the first tunnel exists in the SD-WAN that can satisfy an SLA of a subset of the traffic on the first tunnel, in response to determining that no backup tunnel exists in the SD-WAN that can satisfy the one or more SLAs of the traffic on the first tunnel. The device proactively reroutes the subset of the traffic on the first tunnel onto the backup tunnel, in advance of the predicted failure of the first tunnel.

Abstract: In one embodiment, a device predicts a failure of a first tunnel in a software-defined wide area network (SD-WAN). The device makes a prediction as to whether a second tunnel in the SD-WAN will satisfy a service level agreement (SLA) associated with traffic on the first tunnel. The device proactively reroutes the traffic from the first tunnel onto the second tunnel, based on the prediction as to whether that the second tunnel will satisfy the SLA of the traffic. The device monitors one or more quality of service (QoS) metrics for the rerouted traffic, to ensure that the second tunnel satisfies the SLA of the traffic.